02-16-2023 04:23 AM
Folks,
I needed some suggestions on policies getting applied when the 802.1x authentication kicks in vs. initial boot by a system.
Our policies say that once the 802.1x authentication succeeds, allow the machine to get authorized on the "Employee VLAN". This policy works just fine, but the catch here is that when the system performs an initial boot, it does not get into the "Employee VLAN", which is expected as the OS cannot perform an 802.1x authentication.
Any suggestions to overcome this challenge?
Thanks!
N.
02-16-2023 04:29 AM
You mean PXE boot?
02-16-2023 04:55 AM
Hi BB,
No, not PXE boot. This is just the initial boot screen, i.e. when the laptop is first powered on.
(Or for that matter when it is left idle for some time... even here we have seen at times that the "Employee VLAN" gets lost and the laptop ends up in the "Guest VLAN".)
Thanks!
N
02-16-2023 06:01 AM
I assume you are doing user auth? If so, there is no 802.1X transaction by design until a user logs into the system. You should also enable machine authentication if you need to provide network access before login. That being said, why change VLANs at all? Why not use a dACL or some other enforcement method?
03-02-2023 04:52 AM
@ahollifield : Thanks for the answer and apologies for the late response.
Any details you can share on machine authentication? This is new to us and we would like to check how this can work.
Thanks a ton.
Regards,
N!
03-02-2023 05:19 AM
These are Windows endpoints, correct? If so, enable "Computer Authentication" in the supplicant configuration.
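The supplicant setting discussed in the replies above can be checked offline on a wired profile exported with `netsh lan export profile`. This is an added example, not part of the thread: it reads the `authMode` element of the profile XML and reports whether the endpoint can authenticate before a user logs on. The sample profiles are constructed and the function name `check_profile` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows wired (LAN) profiles and their 802.1X section.
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# authMode values that let the supplicant use machine credentials at boot,
# before any user has logged on.
PRE_LOGON_MODES = {"machine", "machineOrUser"}

# Constructed sample: 802.1X enabled, user authentication only.
SAMPLE_USER_ONLY = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</LANProfile>"""

# Constructed sample: same profile with machine credentials allowed.
SAMPLE_MACHINE_OR_USER = SAMPLE_USER_ONLY.replace(
    "<authMode>user</authMode>", "<authMode>machineOrUser</authMode>")


def check_profile(xml_text):
    """Return the 802.1X state of one exported wired profile as a dict."""
    root = ET.fromstring(xml_text)
    enabled = root.findtext("lan:MSM/lan:security/lan:OneXEnabled",
                            default="false", namespaces=NS).strip().lower() == "true"
    mode = root.findtext(".//onex:authMode", namespaces=NS)
    mode = mode.strip() if mode else None
    pre_logon = enabled and mode in PRE_LOGON_MODES
    if not enabled:
        finding = "802.1X is disabled in this profile"
    elif mode is None:
        finding = "authMode is not set in this profile; check the effective setting"
    elif pre_logon:
        finding = "machine credentials can be used before logon"
    else:
        finding = "no 802.1X authentication until a user logs on"
    return {"dot1x_enabled": enabled, "auth_mode": mode,
            "pre_logon_auth": pre_logon, "finding": finding}


if __name__ == "__main__":
    for name, xml_text in (("user only", SAMPLE_USER_ONLY),
                           ("machine or user", SAMPLE_MACHINE_OR_USER)):
        print(name, "->", check_profile(xml_text))
```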
03-12-2023 11:24 AM
@network_geek1979 Adding to what ahollifield suggested...
Configuring 802.1x Authentication for Windows Deployment at A. Gross Blog might be of interest to you.